The present disclosure relates generally to authentication and authorization, and more particularly to controlling resource access.
Third-party authentication and authorization for resource access is known, particularly in arrangements where a dedicated third party is responsible for authenticating and authorizing a user who attempts to access and use specific resources through a client application, so that the user need not provide his/her own personal information (e.g., a password) to the client application.
As an example, OAuth is a known architecture supporting third-party authentication and authorization. In the OAuth architecture, when a user requests access to a particular resource, a dedicated authorization server authenticates both the user and the client application to determine whether to grant access to the requested resources. The authorization server is separate from the resource server that provides the resources. If access to the resources is granted, the authorization server may provide the client application with an access token corresponding to the granted access. The client application presents the access token to the resource server to indicate that the access request for the resources has been authorized.
Current third-party authentication and authorization solutions may not provide enough control granularity, or enough controllable aspects, to reduce improper use of resources, divulgence of private information, and the like through their authentication and authorization services. Current solutions may also be tightly coupled with the resource provider, such that the two cooperate and operate strictly in accordance with a predetermined protocol or rule to complete authentication of a user identity, authentication of a client application, and authentication of an access token. Such tight coupling makes authentication and authorization inflexible, preventing, for example, the authorization server from applying a pertinent authentication and authorization process to a different resource and/or a different resource owner.